Port 2019: Unassigned — Home of the Caddy Admin API

Port 2019 sits in the registered port range (1024–49151). IANA has not assigned it to any official service.¹ No RFC governs it. No standards body claims it.

And yet, if you scan the Internet for port 2019, you'll find something: Caddy.

What the Caddy Admin API Does

Caddy is a web server that handles HTTPS automatically — it obtains and renews TLS certificates without configuration. When Caddy v2 launched, it introduced something other web servers lack: a live REST API for configuration changes that take effect without restarting the server.

That API listens on port 2019 by default.

http://localhost:2019

Through this API, you can load a new configuration, modify routes, check reverse proxy status, and inspect the PKI state — all while the server keeps serving traffic. It's Caddy's control plane.²

The port number is almost certainly a timestamp. Caddy v2 was under development in 2019. Whoever picked the default left a small artifact of that moment baked into every Caddy installation that hasn't changed its config.

Why This Port is Dangerous if Exposed

The admin API has no authentication by default. If it's reachable beyond localhost, anyone who can connect can reconfigure your server — change routes, replace TLS certificates, modify everything. Caddy's documentation is blunt about this: do not expose port 2019 to the Internet.³

In practice, most Caddy installations bind the admin API to localhost:2019 only. But misconfigured containers or firewall rules occasionally expose it. Seeing port 2019 open from outside a server is worth investigating.

What Range This Port Belongs To

The registered port range (1024–49151) was historically where IANA assigned ports to specific services upon application. Today, registration is still possible but increasingly informal — many ports in this range are used by applications without any IANA filing.

Port 2019 is one of them. Caddy simply chose it. It works. No one else was using it.

How to Check What's Listening on Port 2019

On Linux or macOS:

# Show what process is bound to port 2019
ss -tlnp | grep 2019

# Or with lsof
lsof -i :2019

On Windows:

netstat -ano | findstr :2019

From another machine:

# Check if port 2019 is open (replace with your target IP)
nc -zv 192.168.1.1 2019

If Caddy is running, you'll get a response from http://localhost:2019/config/ — it returns the current configuration as JSON.

Why Unassigned Ports Matter

The port registry is a coordination mechanism, not a lock. Nothing stops software from using an unassigned port — and plenty does. The registered range has roughly 48,000 ports. Fewer than half are officially assigned. The rest are occupied by convention, squatted by applications, or genuinely empty.

Unassigned ports do one useful thing: they signal uncertainty. When you see an unassigned port open on a machine you're auditing, you don't know what's there. That's the point of checking.